The following reply was made to PR protocol/1454; it has been noted by GNATS.
From: Dean Gaudet <[EMAIL PROTECTED]>
To: Anand Kumria <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: protocol/1454: Apache doesn't always understand requests with the
absoluteURI in them
Date: Sat, 22 Nov 1997 14:08:16 -0800 (PST)
On 22 Nov 1997, Anand Kumria wrote:
> 1. Is it an absoluteURI? Yes? Cool, we ignore a Host: header, if *any*
> ("Any host header field value in the request MUST be ignored.") and use
> what was specified in the absoluteURI.
This is how it works ...
> I think this makes Apache more robust ("Be liberal in what you receive, be
> conservative in what you send"). However it is hard to argue the point
> properly without seeing an accept grammar for HTTP/1.1, but the Apache
> team seems fortunate enough to have one of the document authors (R.
> Fielding) on your team, perhaps he can provide more insights.
"Be liberal in what you receive, be conservative in what you send" does
not really apply to this situation. Client authors would be foolish to
not test their HTTP/1.1 clients against Apache 1.2.x; given that it has
such widespread usage. When they do test them as such they will discover
that they really do have to follow section 9:
The Host request-header field (section 14.23) MUST accompany all
HTTP/1.1 requests.
and section 14.23:
A client MUST include a Host header field in all HTTP/1.1 request
messages on the Internet (i.e., on any message corresponding to a
request for a URL which includes an Internet host address for the
service being requested). If the Host field is not already present,
an HTTP/1.1 proxy MUST add a Host field to the request message prior
to forwarding it on the Internet. All Internet-based HTTP/1.1 servers
MUST respond with a 400 status code to any HTTP/1.1 request message
which lacks a Host header field.
Given that it's stated twice in the standard there really is no excuse.
> As I have tried to explain above the rules for processing requests don't
> consider the absence of the Host: header until rule 3. Apache is rejecting
> the document too early in its request parsing process.
That's irrelevent and wrong. If you look at the code flow you will
discover in http_main that read_request() is called before
process_request(), and you'll see that read_request() does the absURI and
Host: processing, and that process_request() does the rejection due to
absence of Host: header. So we are following the standard. (Although
there is a comment in the code which is a bit misleading, I'm about to go
correct it.)
Dean
